DefenceLab Rogue Steals Microsoft’s Name (Again)

When you see an online order form that bears Microsoft’s logo and the words “pay to: Microsoft Inc.,” are you any more likely to enter a credit card number into the form and click submit? That’s the psychological experiment currently being undertaken by a company that calls itself DefenceLab, which subjects unsuspecting users to its peculiar blend of fakealert with rogue antivirus.

Last year, our friends at Sunbelt wrote two very interesting blog items about DefenceLab. At the time, DefenceLab was accused of lifting content from the products and Web sites of legitimate companies such as Microsoft and AVG, and inserting that text into their own Web site. They had stolen AVG’s “awards” links from that company’s Web site and posted them on their own; they were also lifting, whole cloth, copy from Microsoft’s Web site, then replacing words in the pages (like “Microsoft”) with “DefenceLab.”

Well, these slugs are at it again, only this time they’ve dragged a US-based electronic payment processor into their scam. The payment processor handles the credit card transactions from victims who fall prey to the scam’s fake alert message about a nonexistent infection. Most rogues use fly-by-night processors, based overseas, who provide scant contact information, and never respond to requests for a refund. DefenceLab, however, provides would-be snake oil purchasers with both an email address and toll-free telephone number, in case of a transaction problem.

The only problem I can imagine would be if anyone actually paid perfectly good money to buy their bogus app.

The DefenceLab rogue also uses some time-honored techniques to trap victims, essentially locking nontechnical users out of their computer. Read on to see exactly how they do it; I’ll even throw in, free of charge, a simple trick that will let you prevent the program from popping up fake antivirus alerts.

In the course of doing his daily work, one of our Threat Research analysts stumbled upon a newer version of the DefenceLab rogue and decided to play along. A Trojan downloader, which itself was foisted on his testbed in a drive-by download, brought down the DefenceLab payloads, which consist of a small number of executable files as well as some scripts.

The first step the rogue takes is to pop up a warning dialog box that appears to come from the Windows User Account Control (UAC) service. “An unidentified program wants access to your computer” reads the dialog, which warns that a legitimate Windows component (called csrss.exe) “try direct access to process icq.exe” (sic). In this case, the dialog popped up when the researcher tried to switch to the already-running ICQ instant messenger client application on his test machine. Did I mention that this UAC warning appeared on a Windows XP machine, which does not have the UAC service?

In true form, the fakealert takes front-and-center attention. It has two buttons, labeled “Allow” and “Scan system” — but clicking the “Allow” button does nothing. The dialog box also appears to “grey out” the rest of the operating system, preventing you from using Alt-Tab to switch to another program or interact with any other visible element on the desktop or any open window in the background, but this was just slick sleight-of-hand: The rogue actually takes a screenshot of your desktop before it runs, adds a grey masking layer over the top of this picture, then uses that picture as its background.

So while you’re frantically clicking to get away from the dialog box, all you’re clicking is a picture of your desktop. I easily retrieved the screenshot, which had been saved to the Temp folder on my testbed. Stay classy, DefenceLab.

By the way, if you’re stuck, you can defeat this nasty fakealert by hitting the reset button on the computer. When the computer boots back up, quickly bring up the Task Manager and kill the MSHTA.exe process. MSHTA is a legitimate program, a normal component of the Windows operating system, but DefenceLab abuses it to force its fakealert to pop up and cover the entire desktop. No MSHTA, no fakealert. See, I told you it was easy.

If you relent and click the “Scan system” button, you’re in for the whole rogue antivirus dog-and-pony show: first, a fake scan (really just an animation that runs in a browser window, not unlike the multitudes of other JavaScript fakealerts); next, a fake “scan results” screen which tells you, in essence, that you have a metric ton of infections. Finally, when you click the “remove” button on that dialog, you’re informed that you have to pay $50 for a license before the program will remove anything.

Like I said, the rogue performs the same old scam in a different skin. As with many rogue antivirus scams, this one holds your computer hostage until you pay the ransom license fee.

The notable difference here is the appearance of the order form. DefenceLab’s messaging claims that everything you’ve seen is part of a Microsoft product. The first page of the order form for the rogue (the Security Center AV-Pack) has Microsoft’s logo prominently displayed in the corner, while the text of the order form says, in part, “We here at Microsoft have designed our firewall and antivirus suite to protect every aspect of a PC from viruses, malware, and hackers.” It goes on to provide details about a “Microsoft Virus-Free Guarantee” that claims the software giant will pay up to $500 “for damage costs that could occur as a result of malware.”

Subsequent pages in the order form also contain the Microsoft logo, and notably, the page on the order form where you are asked to enter a credit card number also contains the text “Pay To: Microsoft Inc.”

Our researcher, eager to see where this played out, used one of the “test credit card numbers” widely available on the net to fill in the order form. He was greeted with a screen that invited him to contact the payment processor to help complete the transaction.

It turns out that this particular payment processor (who we will refrain from naming, for the moment) is more closely intertwined with this rogue than we had initially thought. For one thing, the spy actually writes out keys to the Registry which add DefenceLab’s and the processor’s Web domain names to Internet Explorer’s trusted domain list. The processor is also referenced in the strings dumped out of several of DefenceLab’s component files. And best of all, when the order form returned a “declined” result from our use of the test credit card numbers, the form told us to email or call to determine why the payment failed.
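One way to audit for the Trusted Sites additions described above, as an added example that is not from the original post: it parses the text of a `reg export` of Internet Explorer's standard ZoneMap key and lists every host mapped to zone 2 (Trusted Sites) that is not on an approved list. The registry path is the stock Windows location, not one quoted by the post, and every domain name in the sample is constructed.

```python
import re

TRUSTED_SITES = 2  # IE security zone number for "Trusted Sites"

# Matches [HKxx\...\ZoneMap\Domains\<domain>] or [...\Domains\<domain>\<subdomain>]
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
# Matches "<protocol>"=dword:<zone>, e.g. "https"=dword:00000002
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (real exports are UTF-16; decode before parsing).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp-intranet.example]
"https"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rogue-av.example]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\payment-processor.example\secure]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vendor.example]
"https"=dword:00000002
"""

def trusted_site_entries(reg_text):
    """Return (hive, host, protocol) for every ZoneMap entry in Trusted Sites."""
    found, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Key layout is <domain>[\<subdomain>]; rebuild the full host name.
            current = (m.group(1), ".".join(reversed(m.group(2).split("\\")))) if m else None
        elif current:
            v = VAL_RE.match(line)
            if v and int(v.group(2), 16) == TRUSTED_SITES:
                found.append((current[0], current[1].lower(), v.group(1)))
    return found

def unexpected_trusted(reg_text, approved):
    """Trusted Sites entries whose host is not an approved domain or a subdomain of one."""
    def ok(host):
        return any(host == d or host.endswith("." + d) for d in approved)
    return [e for e in trusted_site_entries(reg_text) if not ok(e[1])]

if __name__ == "__main__":
    for hive, host, proto in unexpected_trusted(SAMPLE_EXPORT, {"vendor.example"}):
        print(f"unexpected Trusted Sites entry: {host} ({proto}) in {hive}")
```
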

When we called the payment processor’s customer service number, a representative on the other end got angry, said some words about the researcher’s mental state that are not repeatable in polite company, and hung up on us when we told him we were given the number in connection with the attempt to purchase a rogue antivirus product. The second person who answered the phone simply told us that their company has been a partner of DefenceLab for some time, and that DefenceLab is a legitimate software company.

To be fair, when I visited the DefenceLab website and downloaded a free trial version of its DefenceLab Personal Edition software, it didn’t find anything — on exactly the same testbed PC which sent the DefenceLab fakealert into a conniption fit.

We’ve reported the incident to our contacts at Microsoft, as well as to the FTC and the Better Business Bureau. I’m sure someone will have something to say about this. I’m hoping that what Microsoft has to say comes by the ream, and is delivered by people in grey suits in a large, wood-paneled room presided over by a stern-looking, black-robed individual. We could only be so lucky.

Thanks to Threat Research Analyst Adam McNeil for the tip, and for suffering indignities over the telephone from a rude “customer service” representative.